rails on vpslink
Thursday, November 30th, 2006
Warning: old information. This was written in November 2006!
I’m trying out vpslink virtual private server. Specifically, at first, I’m trying out their Rails on Fedora OS template: Fedora Core 5, Ruby on Rails (RoR), mySQL, and Lighttpd with FastCGI.
Update: nowadays I’d probably use something based around the deprec gem to do most of this setup, though only once I’d read through the recipe used by that gem and knew exactly what it was doing on the box. See topfunky demo’ing the deprec gem on ubuntu (on a mac!).
I bought a month of the “link 3” package - $25 /mth. With just 250 meg of ram, it’s enough to try things out. There’s no setup fee, and you can go month to month (have to give a month’s notice, I think). You don’t buy a template, just a plan (RAM, disk and bandwidth). You can start over and install a new template in 10 mins.
This doesn’t pretend to be a tutorial and I’m not going to maintain it. Unmanaged VPS isn’t for people without some server admin experience. There’s no documentation at all on rails/vpslink, so I thought I’d write up my experiences. If you’re looking for a rails deployment recipe, perhaps start elsewhere: “Deploying Rails with Pound in Front of Mongrel, Lighttpd, and Apache” for example.
Steps:
- Sign up,
- Get an email sent to you with a password,
- sign in to a control panel,
- choose the fedora core + rails template and press install. Wait 5-10 mins for this to complete. The basic installation of the fedora core ruby on rails OS template takes up about 600 meg. You can later just reformat with one of the other OS templates.
- Ssh into the box (as root) with the given password.
- Take an inventory:
$ yum list installed
will tell you what’s installed, and
$ chkconfig --list
tells you what’s set to start up.
Start a directory under source control on this or another machine; every config file you touch (and some you don’t) should be recorded there, so that you can recover from errors and install a next box from scratch, should you want to.
Security, pt 1
We are currently ssh’ing in as root, the password’s compromised, and there’s no firewall up. Let’s fix that…
- Change the root password
- make a different user, put them in the sudoers list, give them a strong password, test a new sshd session with that user, and once that works, quit your ssh session as root
- prevent ssh for root…
- Securing SSH
$ sudo vi /etc/ssh/sshd_config
Ensure you have the following:
PermitRootLogin no
…and reset sshd.
- Firewall:
I used firehol for the first time on this install.
I don’t want the firewall to lock me out of the box, so I scheduled and tested a cron job for root to bring the firewall down a couple of hours later and email me. (I guess I could have had another job that brought the wall back up again a minute later, closing the window).
firehol has a “try” command, which generates and runs the new iptables rules for your config file, but rolls back after 30 seconds unless you commit; use it, and test that you can still ssh in while the rules are up. I don’t know how good vpslink’s support is when you lock yourself out.
You’ll need some tests to run before and after, but that’s your business. If you’ve barged ahead and had mysql, lighttpd, fastcgi running, you’ll see that absent the firewall you can telnet to 3306 (mysql) and whatever port(s) the dispatch.fcgi processes are running on. yuck.
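One such before/after test, as an added example that is not from the original post: it lists the TCP listeners bound to a non-loopback address that are not on your allow-list, which is the set the firewall config has to cover. The helper name, the allow-list and the sample netstat output (including port 8000 for a dispatch.fcgi process) are constructed for illustration.

```shell
#!/bin/sh
# Added example, not part of the original post.
# exposed_listeners is a hypothetical helper name; it reads `netstat -tln`
# output on stdin and prints every TCP port that listens on a non-loopback
# address and is not in the allow-list given as arguments.
exposed_listeners() {
    allowed=" $* "
    while read -r proto _rq _sq laddr _faddr state; do
        [ "$state" = "LISTEN" ] || continue        # skips the two header lines too
        case "$proto" in tcp*) ;; *) continue ;; esac
        port=${laddr##*:}                          # text after the last colon
        addr=${laddr%:*}                           # 0.0.0.0, ::, 127.0.0.1, ...
        case "$addr" in
            127.*|::1|::ffff:127.*) continue ;;    # loopback: unreachable from outside
        esac
        case "$allowed" in
            *" $port "*) continue ;;               # deliberately public
        esac
        echo "$port"
    done | sort -un
}

# Constructed sample: mysql on all interfaces, sendmail on loopback,
# a dispatch.fcgi listener on port 8000 (made-up port), sshd and lighttpd.
sample_netstat() {
    cat <<'EOF'
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address      Foreign Address    State
tcp        0      0 0.0.0.0:3306       0.0.0.0:*          LISTEN
tcp        0      0 127.0.0.1:25       0.0.0.0:*          LISTEN
tcp        0      0 0.0.0.0:8000       0.0.0.0:*          LISTEN
tcp        0      0 :::22              :::*               LISTEN
tcp        0      0 0.0.0.0:80         0.0.0.0:*          LISTEN
EOF
}

# Only ssh and http are meant to be public; anything printed here is
# reachable from outside unless the firewall blocks it.
sample_netstat | exposed_listeners 22 80
# On the box itself: netstat -tln | exposed_listeners 22 80
```

Run it before writing the firehol config and again after every change to what runs on the box; an empty result means nothing unexpected is waiting behind the wall.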
I installed firehol from rpm. Be very wary of the default config in /etc/firehol/firehol.conf - it will lock the box down completely. So delete it or at least rename it, first thing.
This install of firehol had a helpme command which inspected the current box setup and guessed what stuff you might want open on each interface. It’s non-destructive - it just generates a config file to standard out. It recognised and configured everything I was doing, apart from svnserve on port 3690. I whittled the generated config down to a bare minimum, made sure I understood everything, had a look through the generated iptables rules, and ran my tests an unnecessary number of times before committing.
I’m pretty sure I used chkconfig to register firehol for startup, but haven’t made a note.
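Back on the “Securing SSH” step: an added example (not from the original post) that reads sshd_config the way sshd does, so a line that is still commented out, or a second PermitRootLogin line further down, doesn’t fool you. The helper names and the three sample configs are constructed.

```shell
#!/bin/sh
# Added example, not part of the original post. effective_root_login is a
# hypothetical helper name: it reads an sshd_config on stdin and prints the
# PermitRootLogin value sshd takes from the global section, or "unset".
effective_root_login() {
    awk '
        /^[ \t]*#/ || /^[ \t]*$/ { next }     # comments and blank lines do nothing
        tolower($1) == "match"   { exit }     # conditional blocks (where supported): stop
        tolower($1) == "permitrootlogin" {    # keywords are case-insensitive
            print $2; found = 1; exit         # sshd uses the first value it reads
        }
        END { if (!found) print "unset" }     # compiled-in default applies
    '
}

# Succeeds only when root login over ssh is really switched off.
root_login_disabled() {
    [ "$(effective_root_login)" = "no" ]
}

# Constructed samples of three ways the edit can go.
cfg_still_commented() { printf '%s\n' 'Port 22' '#PermitRootLogin no'; }
cfg_shadowed()        { printf '%s\n' 'PermitRootLogin yes' 'PermitRootLogin no'; }
cfg_good()            { printf '%s\n' '# constructed' '  permitrootlogin no'; }

for cfg in cfg_still_commented cfg_shadowed cfg_good; do
    printf '%-20s -> %s\n' "$cfg" "$($cfg | effective_root_login)"
done
# On the box itself: effective_root_login < /etc/ssh/sshd_config
```

Run `sshd -t` to syntax-check the file before resetting sshd.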
DNS setup
I bought a domain name on godaddy and pointed it to the name servers listed in the vpslink DNS tutorial. That tutorial will help you set up.
Ruby
Ok, getting warmer…
ruby 1.8.5 was already done in the rails/fedora OS template.
I confirmed that september’s cgi.rb security patch had already been applied:
$ grep -B2 "bad content body" /usr/lib/ruby/1.8/cgi.rb
The output should include:
if c.nil? || c.empty?
raise EOFError, "bad content body"
If it’s just “if c.nil?” without c.empty? then it’s missing the patch.
Rails:
Rails 1.1.6 gem set was already installed. VPSLink’s OS template leaves fastcgi and mysql only using pure ruby implementations. Let’s fix that…
ruby / fastcgi
Maybe they’ve updated the template, so let’s check…
$ ruby -e "require 'fcgi.so'"
If it doesn’t barf, great. I got barf:
/usr/lib/ruby/site_ruby/1.8/i386-linux/fcgi.so: libfcgi.so.0: cannot open shared object file: No such file or directory - /usr/lib/ruby/site_ruby/1.8/i386-linux/fcgi.so (LoadError)
Let’s have a snoop…
$ ldd /usr/lib/ruby/site_ruby/1.8/i386-linux/fcgi.so
…yields:
libruby.so.1.8 => /usr/lib/libruby.so.1.8 (0x4000c000)
libfcgi.so.0 => not found
libpthread.so.0 => /lib/libpthread.so.0 (0x400ee000)
[...]
Still snooping…
$ sudo find / -name "libfcgi.so.0"
…yields:
/usr/local/lib/libfcgi.so.0
So it’s on the box right enough. Hiding in /usr/local/lib, in my case.
$ sudo vi /etc/ld.so.conf
add line:
/usr/local/lib
…and reload, with:
$ sudo ldconfig -v
This should show that ldconfig is now scanning through /usr/local/lib and finding libfcgi.so.0
/usr/local/lib:
libfcgi.so.0 -> libfcgi.so.0.0.0
Test. Now this should work without throwing an error:
$ ruby -e "require 'fcgi.so'"
There’s a good post on this at ruby-talk/83282. It was nice to see the Beginning Ruby on Rails ecommerce book also addresses this one in its deployment chapter (~p378, 1st edn).
Here’s more on ld.so.conf, [2], [3].
Ruby-MySQL
Under vpslink’s current rails/fedora OS template, only the pure ruby impl is being used for mysql. Install the C binding:
gem install mysql -- --with-mysql-lib=/usr/lib/mysql
The rest of MySQL:
secure it and the already-created mysql box user, which can ssh into the box, currently!
ERROR: "No such file or directory - /tmp/mysql.sock"
To solve this one, find out what socket mysql uses, and tell your rails database.yml config about it…
$ mysql_config --socket
…yields (for me)…
/var/lib/mysql/mysql.sock
Put your socket path in config/database.yml for the production database:
socket: /var/lib/mysql/mysql.sock
So, now check rails app can get a mysql connection:
$ ruby script/runner "ActiveRecord::Base.connection"
That shouldn’t barf. Run mysql at startup:
$ chkconfig mysqld on
$ chkconfig --list
Update: RMagick installation
Here’s a quick update on putting imagemagick and rmagick on this platform.
Warning: this is a naive, extremely quick first attempt and may well give you an unstable or insecure installation.
I started by reading Ian White’s write-up, and also noted that Robby Russell said (a long time ago) he had to install from source (on FC3). Let’s try to use the package manager…
sudo yum install ImageMagick*
That asterisk is very sloppy. Don’t let me catch you doing that. Figure out which packages are really needed, and install only those. Even if what the wildcard matches today is okay for you, it might not be tomorrow. Repeated installations following exactly the same instructions may yield different results.
Let’s see if the gem will just rmagickally work…
sudo gem install rmagick
For me, that seg faults!
/usr/lib/ruby/1.8/yaml.rb:133: [BUG] Segmentation fault
A similar bug is reported here. After getting the same results after a couple of repeats, I just went around the problem by downloading the gem and doing a local install from rubyforge.
So… trying again…
sudo gem install rmagick
This time, the install failed to build something. Let’s find out what the error was; look under “InitializeMagick” in the following file:
less /usr/lib/ruby/gems/1.8/gems/rmagick-1.14.1/config.log
For me the error was: "/usr/bin/ld: cannot find -lfreetype"
So here’s how I solve that. First find out where libfreetype is installed:
sudo find / -iname "*libfreetype*"
Then provide a standard “.so” link to that location:
sudo ln -s /usr/lib/libfreetype.so.6 /usr/lib/libfreetype.so
sudo /sbin/ldconfig
And once more…
sudo gem install rmagick
This time it works. Pay attention to make sure that the samples run ok, as the install will be reported successful regardless. You don’t necessarily need all the samples to work. Some demonstrate functionality you may not need, such as compatibility with certain file formats you won’t be working with.
I tested it out with some basic manipulations of png and jpg from within a rails app.
Finding out what’s installed..
ruby -rrubygems -e "require 'RMagick'; puts Magick::Long_version;"
That’s it for rmagick for now, because I’m not actually using it…
Monitoring memory usage
The basic problem with standard solutions like top is that they give results based on the full server, not your little fragment.
- Memory_Utilization_Script,
- tool for monitoring within vps environment (requires php),
- Meaning_of_the_beancounters_values,
- And some more forum posts: [1], [2], [3].
Low-memory configuration
Low-memory MySQL / Apache configurations (Have a look at /usr/share/doc/mysql-server-5.0.22/my-medium.cnf and its neighbours),
this forum thread,
On burst/peak-proofing the vps memory limits:
- Does the RAM limit refer to “physical” RAM ? forum thread.
The control panel
After a play with the minimal control panel’s reboot button, it got out of sync with reality. (Or maybe I turned someone else’s box off, virtually, but I was coding away just fine.) It looks like that reboot button doesn’t work (I haven’t read up on how they’ve implemented this virtual “reboot”), so if you’re thinking to save yourself from overzealous firewall config by just rebooting remotely, ensure you have such a mechanism, first…
Summary
I’m more or less happy. VPSLink’s hosting does what it says on the tin. Don’t expect a user manual. Do expect to be up and running in no time, if you know what you’re doing. With no setup fee, it’s cheap to test for a month.
As for the rails template, I’d have expected the C bindings for ruby to talk to mysql and fastcgi (and more security). That’s the whole point of a template - get it done ONCE right, so that all the others don’t have to monkey around with these steps. In fairness to vpslink, it’s early days - they released this FREE template on 14/11/2006. Hopefully, they’ll improve it (and document what is and isn’t there).
Also, remember that you’re not paying for the template; just for the plan.
I haven’t had any problems with the hosting or support (but I’ve only been running for a couple of days and have raised zero tickets).
Corrections and tips very welcome, obviously.